Phishing is a problem you hear about in the news, and you like to think of yourself as immune. I clicked a link that came in from a friend, and luckily, I noticed it was a phishing site.
What’s phishing, and what happened?
I have no patience for the small-minded wastrel “phisher” scum criminals, who sit there developing all manner of ways to scam people. To phish is to “fish” for information from unsuspecting people by presenting a website that looks exactly like your bank’s website, or a social network site such as Twitter, LinkedIn, Facebook, Google+ and so on. You see a link in an email, click on it, and are presented with a login page. You might then proceed to enter your login and password there, but in the case of a phishing site, you are simply handing your name and password to the phishing scoundrel who set the site up.
This happened to me this past weekend. I got a “check this photo of you out” direct message in email, via Twitter, but it was from a friend, so I clicked the link in it. A couple of things told me it was not right -
- the browser refreshed multiple times
- the domain was a misspelling of Twitter
- I was already logged into Twitter so why would it be asking me to log in again?
The second is obvious. Why would Twitter misspell their own domain? The first is less obvious, but it indicates that the shortened link in the email message pointed to another shortcut link, which pointed to another shortcut link, and so on: a sign someone is trying to cover their tracks. The third made me sit up and take notice.
I made a few checks -
- took a look at the web page source (ctrl-option-u), and sure enough there were misspellings and odd links in there - very unofficial looking.
- checked my Twitter, but I had no such DM from my friend in my Twitter account, which should have been there if it was legit.
So I deleted the mail after taking a screenshot, and gave my friend a heads-up, to change his password right away.
How can you avoid phishing scams?
- do not comply with any urgent requests for info via email, and always check. If it looks like your bank, call them and ask about status (but call using a number you know is good, such as the one on your bank book or checkbook, rather than a number presented to you in the phishing email itself). Along the same lines, use your own bookmarks to navigate to the banking site, not a link that arrived via email.
- be aware that phishers typically leverage upsetting news, saying things like “your account is closed due to non-payment” and things of that nature. Confirm before you believe.
- watch for misspellings in the URL or in the body of the site itself. Most organizations are very careful about not releasing poorly worded emails or web pages. If it seems off, check for it on Snopes; maybe someone has fallen for it before.
- are you already logged into the related website? If so, think: why are they asking you to log in again so soon; is that normal? If you are using the same browser, that typically does not happen.
- learn how to confirm an SSL certificate. Generally, B2C business sites pay for a relatively expensive SSL certificate, which proves to you that they are who they say they are. Keep in mind that the certificate vouches for the domain shown in the address bar, so pair this with the misspelling check above. See the screenshot for what it looks like in Chrome, but other browsers have a similar lock icon.
- be aware of legitimate messages from banks and other organizations telling you what their behavior will be in cases where your account is going to be closed, or the like. I have received several, like: “we will never request your password via email”.
- watch out for phone variations of the electronic phishing scam, in which a caller identifying themselves as an officer of the organization is “calling just to confirm something; could you please give me your PIN number?” A bank would never give its staff such a directive.
- use hard-to-guess passwords which are different from system to system - that is, your Twitter, Flickr, and Google+ passwords should all be different from one another.
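The misspelled-domain sign and the “are you sure that is the real site?” check above can be automated for links in a suspicious message. This is an added example, not code from the original post; the list of known domains and the sample message are constructed for illustration.

```python
from urllib.parse import urlparse
import re

# Constructed list of sites the user actually holds accounts on (assumption).
KNOWN_DOMAINS = ["twitter.com", "linkedin.com", "facebook.com", "google.com"]
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, with any trailing dot removed."""
    return (urlparse(url).hostname or "").lower().rstrip(".")

def registered_domain(host: str) -> str:
    """Last two labels of a host: 'twitter.com.evil.example' -> 'evil.example'."""
    labels = host.split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    """'known' when the registered domain is one you hold an account on, 'lookalike'
    when a known brand name is buried in a subdomain or the registered name is within
    two edits of it (twiiter, tvvitter), otherwise 'unknown'."""
    reg = registered_domain(host)
    if reg in KNOWN_DOMAINS:
        return "known"
    name = reg.split(".")[0]
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in host or edit_distance(name, brand) <= 2:
            return "lookalike"
    return "unknown"

def flag_links(message: str) -> list[tuple[str, str]]:
    """Every http(s) link in a message paired with its verdict."""
    return [(u, classify_host(host_of(u))) for u in URL_RE.findall(message)]

if __name__ == "__main__":
    # Constructed sample message, not the DM the author received.
    sample = ("check this photo of you out http://twiiter.com/login?next=photo "
              "and http://twitter.com.account-check.example/ vs https://twitter.com/home")
    for url, verdict in flag_links(sample):
        print(f"{verdict:9} {url}")
```

A 'lookalike' verdict is a reason to stop and use your own bookmark instead; an 'unknown' one is a link shortener or a site you simply do not have listed, so resolve it carefully rather than trust it.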
Perhaps this information will help someone stay a little more secure, in the future.